Cybersecurity training and certifications, performance-based learning for individuals, organizations and instructors

Model-based process and performance assessments, including assessment methods and operations, and quality assurance

Maturity- and capability-based organizational accreditation and verification

Cybersecurity process and controls auditing and performance improvement

Why CMMC?

The DoD estimates that U.S. companies are losing over $6 billion USD each year in intellectual capital to competitors due to lack of any cybersecurity or awareness. Cyber attacks are on the increase and organizations must take action to protect Controlled Unclassified Information (CUI) and improve related cybersecurity processes and controls so important to national defense.

What is DoD’s Goal?

The Office of the Under Secretary of Defense for Acquisition and Sustainment (OUSD(A&S)) recognizes that security is foundational to acquisition and cannot be treated as a “tradeoff” option along with cost, schedule, and performance. The DoD is committed to working with the DIB to enhance the protection of CUI and cyber controls and hygiene within the supply chain using the Cybersecurity Maturity Model Certification (CMMC) framework. CMMC assessments will target, review and combine various cybersecurity standards and best practices and map these controls and processes across several maturity levels that range from basic cyber hygiene to advanced/progressive. For a given CMMC level, the associated controls and processes, when implemented, are designed to reduce risk against a specific set of cyber threats.

The CMMC effort builds upon existing regulation (DFARS 252.204-7012) that is based on a "trust yet verify" approach with respect to DoD cybersecurity requirements. The goal is for CMMC to be cost-effective and affordable for small businesses to implement at the lower CMMC levels. The intent is for certified independent 3rd party organizations to conduct CMMC assessments on DIB suppliers to improve their cybersecurity capabilities and to inform them on their risks.

Who are the Key Players?

OUSD(A&S) is working with DoD stakeholders, academia, Federally Funded Research and Development Centers (FFRDCs), and industry to develop and then implement the Cybersecurity Maturity Model Certification (CMMC) program. The CMMC Accreditation Body (AB) was established in January, 2020, and the Memorandum of Understanding (MOU) between the DoD and CMMC AB to setup and operate the CMMC program was signed in March.  The AB has established numerous working groups to get the initial aspects of the ecosystem in place in Q1 and Q2 of 2020.

ISACA’s Subject Matter Experts, and Certified CMMI Lead Appraisers Ron Lear, and Kevin Schaaff, have been active members of the CMMC Accreditation Body’s CMMC Assessment Methodology Working Groups since inception.   This includes the Assessment Methodology Working Group and the Accelerated Assessment Working Group, which were combined into a single working group in July of 2020.  As part of these two critical CMMC AB Working Groups, Mr. Lear and Mr. Schaaff were the primary authors for the current CMMC Assessment Methodology, integrated processes and training content and related materials.  Both remain currently active in the WG activities as the CMMC ecosystem moves into its initial launch phase.

Read our latest CMMC Blog Post!